US State AI Regulation in 2026: The Patchwork is Already Here
Colorado's SB 24-205 went live February 2026. California, Texas, Illinois, and New York have each picked a different lane. The patchwork is operational and federal preemption is not coming this year.
Federal AI legislation in the United States has been stalled since 2023. State legislatures have not waited. Colorado, California, Texas, Illinois, and New York have each moved on AI governance in different directions, and as of February 2026 the Colorado Artificial Intelligence Act is in force as the first comprehensive US state AI law. The patchwork enterprises feared in 2024 is operationally here in 2026.
This is the practical landscape — what enterprises building or deploying AI in the US actually have to comply with, where the laws overlap and where they conflict, and why federal preemption is unlikely to resolve it in the next 18 months.
Colorado SB 24-205: the first comprehensive US AI law#
The Colorado Artificial Intelligence Act, signed May 2024 and effective February 1, 2026, is the most consequential state AI law in force. It applies to developers and deployers of “high-risk artificial intelligence systems” — defined as systems that make or are a substantial factor in making consequential decisions in employment, education, financial services, healthcare, housing, insurance, legal services, and government services.
The core obligations track the EU AI Act’s structure but with a US administrative-law flavor. Developers must provide deployers with documentation sufficient for the deployer’s impact assessment. Deployers must conduct impact assessments, implement risk management programs, give consumers notice when AI is used in a consequential decision, and provide a right to correction and a right to appeal to human review for adverse decisions. Algorithmic discrimination is explicitly prohibited, with a duty of reasonable care to avoid it.
Enforcement sits with the Colorado Attorney General. There is no private right of action — a major difference from BIPA in Illinois. The AG can seek civil penalties up to 20,000 dollars per violation, with the usual injunctive relief.
The most quietly important detail is the rebuttable presumption: a deployer who follows the AG’s published rules and a recognized risk-management framework (NIST AI RMF is the obvious one) gets a rebuttable presumption of reasonable care. That has shaped the compliance market — the NIST framework went from soft guidance to operational anchor.
California: AB 2013, the SB 1047 saga, and the rest#
California’s regulatory approach has been targeted bills rather than a single comprehensive statute. AB 2013, signed September 2024 and effective January 2026, requires generative-AI developers to publish documentation of the training data — sources, copyright posture, whether personal information was included, and whether the data was purchased, licensed, or scraped. The disclosures must be on the developer’s website before the model is publicly released.
The bill that did not pass was SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. Vetoed by Governor Newsom in September 2024 after passing both chambers, SB 1047 would have imposed safety-evaluation and shutdown-capability requirements on frontier model developers above a compute threshold. The veto message argued the bill was too focused on the largest models without addressing context-of-use risk; the politics were a fight between the AI safety community and a coalition of California-based AI companies. The framing matters because SB 1047’s replacement — the work of the Joint California Policy Working Group on AI Frontier Models, which delivered its final report in 2025 — has shaped the next round of California bills.
AB 1008 extended the CCPA to cover personal information stored in AI training data and model weights. SB 942, the California AI Transparency Act, requires AI-generated content provenance markers for covered providers. SB 896 created an AI office inside the Governor’s office for state-government AI use. The pattern is many narrower bills rather than one omnibus, which leaves the California posture more fragmented than Colorado’s.
Texas: HB 149, the Responsible AI Governance Act#
Texas signed HB 149, the Texas Responsible Artificial Intelligence Governance Act, in mid-2025 with most provisions effective January 2026. It is narrower than Colorado’s law — focused on prohibited uses (social scoring by state and local government, certain biometric uses), state-government AI procurement standards, and a sandbox for AI development in regulated sectors.
The most notable Texas innovation is the AI sandbox. Developers can apply for time-limited regulatory relief from specific Texas statutes when developing AI in healthcare, financial services, or insurance, in exchange for reporting and oversight commitments. The sandbox has had measurable uptake from healthcare AI startups using it to test ambient-scribe and decision-support products.
The Texas approach reflects a broader Republican-state policy preference: light-touch on private-sector AI, heavier guardrails on government AI, and explicit pro-innovation framing. Tennessee’s ELVIS Act on AI voice cloning and Utah’s AI Policy Act have similar shapes.
New York City Local Law 144 and the employment-AI lane#
NYC’s Local Law 144 — the Automated Employment Decision Tool law, effective July 2023 with enforcement from January 2024 — was the first comprehensive US AI employment law and remains the most-cited example of municipal AI regulation. It requires bias audits of AEDTs used in NYC hiring, public disclosure of the audit summary, and candidate notice.
The law’s actual enforcement has been modest. The Department of Consumer and Worker Protection has pursued a small number of cases, mostly around the candidate-notice requirements. The bias-audit market grew up around the law — Holistic AI, BABL AI, ORCAA — and the audit methodology has become a quasi-standard referenced by Colorado and other states.
New York State’s broader AI agenda has been slower. Proposed state-level legislation on automated decision systems has been reintroduced multiple sessions; nothing comprehensive has cleared. The state’s focus has been on government AI use through the Department of State and on sectoral regulators (DFS for financial services AI, the Department of Health for healthcare AI).
Illinois BIPA and the biometric lane#
The Illinois Biometric Information Privacy Act, enacted 2008, is not an AI-specific law but is the most consequential US biometric statute and has shaped how facial-recognition and voiceprint AI is deployed in the US. The 2022 Rosenbach decision and the 2023 Cothron decision established that BIPA violations are per-scan, not per-individual — and the resulting damages math has driven hundreds of millions of dollars in class-action settlements.
The 2024 amendments tempered the per-scan rule somewhat — a single course of conduct now generally yields one violation per individual rather than per scan — but did not change the underlying liquidated-damages structure. BIPA remains the reason most major employers do not deploy facial recognition for time-and-attendance in Illinois, and the reason consumer voice-assistant products handle voiceprints carefully.
For AI builders, the BIPA pattern matters because it is the one US AI-adjacent regime with a private right of action and meaningful damages. Texas, Washington, and a few other states have biometric privacy statutes; none have the litigation track record of BIPA.
The preemption debate#
Industry groups have lobbied for federal preemption of state AI laws on the GDPR-versus-state-privacy-law model. The argument is straightforward: a patchwork of 50 state regimes is operationally expensive for any company building AI products at national scale. The counterargument from state attorneys general and consumer groups is equally straightforward: federal law in this area is thin and would lock in a low compliance floor.
The Trump administration’s January 2025 AI executive order — replacing the Biden 2023 order — directed agencies to identify state laws that impede federal AI policy, but did not itself preempt anything. Standalone federal AI legislation has not advanced. The realistic 2026 outlook is no federal preemption and continued state activity.
The operational answer for enterprises: build for the most stringent regime (currently Colorado on the comprehensive side, BIPA on the biometric side, NYC Local Law 144 on the employment side) and accept that compliance variance below that ceiling is the price of doing business.
What enterprises are doing in 2026#
The compliance pattern across our US enterprise clients converges on a few moves. NIST AI RMF as the documented framework — both because Colorado treats it as a presumption anchor and because it is the path of least friction for federal-government adjacent work. A single national AI governance program rather than parallel state programs, scoped to the most demanding state’s requirements. An AI inventory tied to the GDPR-style data inventory, with risk-tier classification under Colorado’s definitions. Bias and impact assessments standardized on a template that satisfies Colorado, NYC, and the NIST framework simultaneously. Vendor management on foundation-model providers that asks for the documentation those providers are increasingly used to producing.
The state-by-state variation is real but mostly lives at the edges. The core posture is one program.
Where pdpspectra fits#
Our enterprise AI engineering practice builds the compliance scaffolding alongside the AI systems — the NIST-aligned documentation, the impact-assessment templates, and the monitoring stack that makes multi-state US compliance operational rather than aspirational.
Related reading: EU AI Act enforcement in 2026, enterprise AI rollout roadmap, and bedrock vs OpenAI vs Anthropic.
The US AI regulation patchwork is operational. Talk to our team about a unified compliance posture that covers Colorado, California, Texas, and the federal AI policy direction.